Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/14/2017
09:28 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

The Long Slog To Getting Encryption Right

Encryption practices have improved dramatically over the last 10 years, but most organizations still don't have enterprise-wide crypto strategies.

While enterprises are making meaningful progress on improving their encryption practices, there's still a lot of work to go. Several major studies out in the last several months have underlined the highs and lows of encryption trends out in the real world.

On the plus side, the most recent research out this week from Ponemon Institute and Thales shows that the existence of enterprise-wide encryption strategies has more than doubled in the last decade and organizations are responding to cloud risks with improved encryption deployments for data at rest and in transit. On the negative side, this study and other industry numbers suggest that we haven't yet reached the tipping point of more than half of organizations following best practices--and that a sizeable number of organizations that use encryption are making big mistakes along the way.

“The accelerated growth of encryption strategies in business underscores the proliferation of mega breaches and cyberattacks, as well as the need to protect a broadening range of sensitive data types," says Dr. Larry Ponemon of Ponemon Institute. "Simply put, the stakes are too high for organizations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy."

This is the twelfth year running of the Global Encryption Trends Study and Ponemon has found that since 2006, the ratio of organizations with enterprise-wide encryption strategies has risen from under 20% to over 40%. It's a steady drumbeat of improvement, but the fact remains that the majority of organizations still don't have such a policy. Nevertheless, the steady tick upwards and additional survey data show that worries about data security regulations, protection of intellectual property, and protection of customer data are all driving gradual change for end-to-end encryption.

Certain areas are better than others when it comes to the current state of encryption deployment.

For example, with data at-rest Ponemon found that approximately 61% of organizations report that they routinely encrypt employee and HR data, 56% encrypt payment data, 49% encrypt financial records and 40% encrypt customer data. Meanwhile, a study out last week from Venafi highlighted prevalence of encryption of data-in-transit, with 57% of organizations reporting they encrypt 70% or more of their external web traffic and 41% doing the same for internal network traffic.

According to the Ponemon study, enterprises' focus on encryption and key management is being spurred on by increased cloud adoption as more data moves into third-party data centers. Approximately 67% of organizations report that they either perform encryption on premises prior to sending data to the cloud or encrypt data in the cloud using keys they generate and manage on premises. An additional 37% also report that they encrypt some cloud data using methods that turn complete control of keys and encryption processes to the cloud provider.  

This most recent study doesn't offer a fine point on how much data is going to the cloud completely unencrypted--but data out in 2016 from HyTrust showed that number to be pretty alarming. According to that study, about 28% of all data within all cloud workloads remain unencrypted. Even more troubling, a different 2016 study from Ponemon and Gemalto found that 76% of organizations don't encrypt or tokenize sensitive data sent to SaaS applications.  

A recent breach at Scottrade earlier this month highlights why a lack of encryption in the cloud is such a risk for enterprises. The online brokerage exposed loan applications for 20,000 customers after a third-party IT services provider uploaded information to the cloud without any encryption mechanisms in place.

"The data breach at Scottrade exemplifies the one-strike law for security in the cloud. In the public cloud, a single vulnerability, security or process lapse is all it takes to expose highly sensitive private data to the world and get datajacked," says Zohar Alon, CEO of Dome9. "Even with strict security controls in place, breaches such as this still occur due to very basic process failures."

Lapses like the one at Scottrade exemplify why it is important to not only encrypt sensitive data in the cloud, but also lock down policies for inventorying data whether in the cloud or on premises, for when and how it is encrypted, for how access is configured, and for how keys are managed.  

"It’s vitally important to encrypt sensitive data at-rest, but encryption alone isn’t sufficient. Even encrypted data is designed to be accessed by applications and authorized personnel," says Tim Erlin, vice president of product management and strategy for Tripwire. "Organizations have to protect the access methods, in addition to encryption, in order to protect data.”

With regard to key management, the study out this week from Ponemon shows that there's again steady improvement but lots of room to grow. Approximately 51% of organizations have a formal key management policy, but hardware security module (HSM) usage is still only at 38%. Of those, nearly half own and operate an HSM on-premises to support cloud deployments. On a positive note, nearly six in 10 of organizations that use HSMs say they have a centralized team that provides cryptography as a service across their entire organization.  

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JohnCorrigan
50%
50%
JohnCorrigan,
User Rank: Apprentice
5/2/2017 | 10:40:19 AM
Encryption growing in popularity
It's great to see the growing acceptance of encryption.  One of the most important trends is encryption for data in motion in the cloud and to mobile.  This is where information rights management solutions are coming to the fore.  If you are interested in learning about Information Rights Management see What is Information Rights Management

 
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.
CVE-2019-12830
PUBLISHED: 2019-06-15
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.